What is claimed is: 

1. A method for generating an identity-based ring 
signature by using bilinear pairings, in a cryptosystem that 
5 includes a user, a signer and a trusted authority, which 
comprises the steps of: 

(a) at the trusted authority, generating a set of 
system parameters shared by the user and the signer and 
storing the set of system parameters in a memory of each of 

10 the user and the signer; 

(b) at the trusted authority, generating a public key 
and a private key for the user and the signer by using the 
set of system parameters, thereby transmitting the generated 
public and the private keys to the user and the signer 

15 through a secure channel, respectively; 

(c) at the user, concealing content of a message and 
requesting a ring signature for the content-concealed 
message to the signer; 

(d) at the signer, producing the ring signature based 
20 on identity (ID) of the user, thereby forming an ID-based 

ring signature for the content-concealed message; and 

(e) at the user, verifying validity of the ID-based 
ring signature. 

25 2. The method of claim 1, wherein the step (a) includes the 
steps of: 
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(al) introducing a cyclic group G of an order q by 
means of a generator P, wherein the cyclic group G is an 
elliptic or hyper-elliptic curve Jacobian; 

(a2) producing a multiplicative cyclic group V of the 
order q by using a bilinear pairing e expressed as the 
following Equation: 

e; G X G y 

(a3) determining cryptographic hash functions 

H: {0,1}" Zg* and Hi: -{0,1}* G/ 
wherein Zg* is a multiplicative cyclic group corresponding to 
V; and 

(a4) selecting a master key s of the trusted authority 
and preparing a public key Ppub of the trusted authority by 
using the master key s and the generator P by using the 
following Equation 

3. The method of claim 2, wherein the set of system 
parameters has g, Pput^ H and Hi, 

4. The method of claim 3, wherein the public key Qioi and 
the private key Sidi of the user are stored in a memory of 
the user, which are defined by using the following 
Equations : 

QiDi = Hi(IDi) and Sipi ^ s • Qjdx 
where IDi is the user's identity, i being a user index which 



is an integer ranging from 1 to n. 



5. The method of claim 4, wherein the step (d) includes 
the steps of: 

(dl) selecting an ID list L, wherein L is a set of 
identities of users; 

(d2) extracting a random element A of the cyclic group 
thereby computing an initial signature value by using the 
ID list L; 

(d3) choosing a random value of the cyclic group, 
thereby computing additional signature values by using the 
ID list L; 

(d4) generating a ring signature value by using the 
private key of the signer; 

(d5) forming a ring of ring signature values by 
selecting zero as a glue value of the additional signature 
values; and 

(d6) storing in a memory of the user the ID-based ring 
signature of n+1 ring signature values. 

6. The method of claim 5, wherein, at the signer, the 
initial signature value, Ck+i, is computed by using the 
following Equation: 

Ck^i = H(L II m II e(A, P) ) , 
wherein k is a signer index and m is the content-concealed 
message . 



7. The method of claim 6, wherein an additional signature 
value is computed by using the following Equation: 

Ci^i = H(L \\ m II e(Ti, P) e(Ci HidD^) , P^^^) ) 
for "'i'f corresponding to one of values of all modulo n (k+1, 
r n-1^ 0, 1 and .k-1) , and then stored in a memory of the 
signer wherein Ti is the random value of the cyclic group G. 

8. The method of claim 7, wherein the ring signature 
value, Tk, is calculated by using the following Equation: 

Tk = A - Ck SjDkf 
and stored in a memory of the signer. 

9- The method of claim 8, wherein the ID-based ring 
signature is a sequence (cq^ Tq^ Ti,---, Tn-i) , which is 
stored in a memory of the user. 

10. The method of claim 9, wherein the validity of the ID- 
based ring signature is determined by using the following 
Equations : 

Ci,^i = H( L \\ m \\ e(A, P) ) 

cj,^2 = H( L \\ m \\ e(T)c^2, P) e(Cjc^x Hi(IDj,^2)r Ppub) ) 

Cn = H( L \\ m II e(Tn^i, P) e(Cn~i Hi (IDn-i) r Ppuh) ) 
Ci = H( L \\ m \\ e(To, P) e (co Hi (IDq) r Ppub)) 
C2 ^ H( L \\ m II e(Ti, P) e(Ci Hi(IDi), Ppub)) 
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cj, ^ H( L W m W e(Ti,.i, P) e(Cj,.i Hi (IDi,,i) , P^ut) ) 
wherein if i = 0, l,---,n-l and Cn=Co, then the ID-based ring 
signature is determined to be valid; and if otherwise, the 
ID-based ring signature is rejected. 

11. An apparatus for generating an identity-based ring 
signature by using bilinear pairings, comprising: 

a trusted authority; 

a user; and 

a signer, 

wherein the apparatus performs the steps of: 

at the trusted authority, generating a set of system 
parameters shared by the user and the signer and storing the 
set of system parameters in a memory of each of the user and 
the signer; 

at the trusted authority, generating a public key and 
a private key for the user and the signer by using the set 
of system parameters, thereby transmitting the generated 
public and the private keys to the user and the signer 
through a secure channel, respectively; 

at the user, concealing content of a message and 
requesting a ring signature for the content-concealed 
message to the signer; 

at the signer, producing the ring signature based on 
identity (ID) of the user, thereby forming an ID-based ring 



signature for the content-concealed message; and ' 

at the user, verifying validity of the ID-based ring 
signature. 

12. The apparatus of claim 11, wherein the system 
parameters includes : 

a ^cyclic group G; 

G' s order g; 

G's generator P; 

the trusted authority's public key Pp^b described by 
Ppub = s ' where s is the master key; and 

hash functions H and Hi described by H: {0^1}* and 
Ui: {0,1 f ^ G, where xs a cyclic multiplicative group, 
wherein the bilinear pairings e are defined by e: G x G ^ V, 
where is a cyclic multiplicative group of the order q and 
uses cyclic multiplicative group Z^ , 

the user's public key Qjoi is describejl by Qj£,i = Ei(IDt) r 
where IDi is the user's identity, i being a user index which 
is an integer ranging from 1 to n, 

the user's private key Sjoi is described by Sjdi = s • 

QlDi r 

the initial signature value is computed by c^^i = H(L \\ 
m II e(Ar P)), where k is a signer index, L is a set of 
identities of users, m is a content-concealed message to be 
ring-signed and A is a random element of the cyclic group G, 

the additional signature values are • generated by Ci+j = 



H(L II m II eCTi, P) e(CiHi(IDi), Pp^b) ) , for "i" corresponding 
to one of values of all modulo n (k+1,---, n-1, 0, 1, k-1), 
where Ti is a random value of the cyclic group G, 

the ID-based ring signature value, Tk, is calculated by 
Tk = A - Ck SiDkf 

the ID-based ring signature is obtained in a form of a 
sequence (cq, Tq, Ti,---, Tn-i) , and 

the validity of the ID-based ring signature is 
determined by means of the following Equations: 

Ck^i = H( L II in II e(A, P)) 

Ck*2 = HC L II in II e(Tk*ir P) e (Ck^i Hi(IDk^i), Pp^b) ) 

c„ = HC L II in II e(T„.i, P) e (Cn-i Hi (IDn-i) , Ppub) ) 
ci = H( L \\ m \\ e(To, P) e(Co Hi(IDo), Ppub)) 
C2 = H( L \\ m II e(Ti, P) e(ci Hi(IDi), Ppub)) 

Ck = Hi L \ m \ e(Tk-ir P) e(Ck.i Hi (IDk-i) , Ppub)) 
wherein if i=0, l,---, n-1 and Cn=co, then the ID-based ring 
signature is accepted to be valid; and if otherwise, the ID- 
based ring signature is rejected. 



